Posts tagged as:

Zlob

Zlob attack on Wireless Routers

by certifiedbug on June 11, 2008

in Security

Brian Krebs reports for the Washington Post:
Malware Silently Alters Wireless Router Settings

Philip Sloss, a software engineer for myNetwatchman.com, said he first observed the activity while examining a Zlob variant distributed on May 22. The DNS hijack occurs, he said, during the installer program, so by the time the user sees the fake codec installer screen, the malware has already attempted to change DNS settings on the victim’s router.

I reached out to researchers at Sunbelt Software to check Sloss’s data, and Sunbelt was able to confirm that the malware successfully changed the DNS settings on a Linksys router (model BEFSX41), pulled straight out of the factory box (with the default username and password). Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked.

Article


AntiSpyCheck Rogue Security Program

by certifiedbug on June 11, 2008

in Rogue

The latest rogue installed through the Zlob Trojan.

How to remove AntiSpyCheck

If you have an infected computer and would feel more comfortable being assisted by a trained malware removal helper, please start a topic at one of the forums. A short but trusted list is in the right-hand column.

Certifiedbug: Fake Security Programs


VirusHeat Rogue antispyware program

by certifiedbug on February 8, 2008

in Rogue

VirusHeat. Can’t say it enough, Rogue!

VirusHeat is installed on your computer when you download and install a Trojan masquerading as a video or audio codec required to view a movie on the Internet. These fake codecs are known as Zlob Trojans. Once you install these programs, though, they install VirusHeat onto your computer along with other malware without your permission.

When the Zlob Trojan is installed, it automatically downloads and installs VirusHeat onto your computer. It will then configure your computer to automatically start another Trojan that displays fake security alerts in your taskbar that state you are infected or have some other security problem on your computer. When you click these alerts, VirusHeat automatically opens and scans your computer. This scan will not only display fake and exaggerated results, but will also find the Trojan that installed it in the first place. The scam, though, is that in order to remove anything you must first pay for the commercial version of this software. It goes without saying that by no means should you purchase this scamware.

How to remove VirusHeat (Removal Instructions)
http://www.bleepingcomputer.com/forums/topic130080.html


VirusRay latest Zlob Rogue antispyware program

by certifiedbug on October 23, 2007

in Rogue

The Zlob Trojan Downloader typically poses as audio or video codecs, required to be installed on your computer so you can watch or listen to certain media.

VirusRay is just the latest infection that downloads and installs rogue anti-spyware programs and displays fake security alerts in your Windows taskbar.

When the Zlob infection downloads and installs VirusRay, VirusRay will automatically start and perform a scan of your computer. When done scanning, VirusRay will state that it found Trojans on your computer. The funny thing is that the Trojans VirusRay finds are the actual ones that were used to install it in the first place. In order to remove these Trojans, though, you will be required to purchase the full version of the software. This is obviously a scam and you should not purchase this software under any circumstances.

Removal instructions at Bleeping Computer.


Fake Security Programs

by certifiedbug on April 28, 2007

in Rogue

There are many rogue antispyware programs, some of which will actually infect your machine rather than clean it or, at the least, prove useless.

Countless victims seen in the help forums are infected by the Zlob trojan, which poses as a codec (compressor/decompressor) needed to view a video, often downloaded from websites with adult content.

Zlob installs a variety of fake malware and alerts users to download a rogue anti-spyware program to remove it, or installs the program on your computer without permission.

Rogue programs include those which rip off legitimate antispyware programs by playing on names.

As Bill Pytlovany blogged at “Bits from Bill”:
AntiSpyware Advertising Gets Nasty

I’m pretty confident, both Spywarebot ads are from the same company who have a couple dozen AntiSpyware products available under different names and domains. Neither are related to the popular “Spybot, Search and Destroy” program.

Doing one’s homework before downloading can save you a much bigger headache than the time it takes to read.

Rogue/Suspect Anti-Spyware Products & Web Sites

VirusRescue added to Rogue Anti-Spyware List

by certifiedbug on August 21, 2006

in Rogue

VirusRescue has been noticed by the security community and gained itself a spot on the Rogue/Suspect Anti-Spyware Products & Web Sites list.

Most recent additions: AntiSpyware Soldier (8-21-06), VirusRescue (8-21-06), VirusBlast (8-1-06), Spyware Removal Wizard (8-1-06), Easy SpyRemover (8-1-06), 1-2-3 Spyware Free (8-1-06), AdwareFinder (7-8-06), SpyHeal (7-8-06), Xmembytes AntiSpyware (6-13-06), TitanShield AntiSpyware (6-13-06), Trust Cleaner (6-13-06), KillAndClean (6-13-06), RemoveIT Pro (5-24-06), SpywareBot (5-14-06), SpyOnThis (5-7-06), Spyware Sheriff (5-7-06), Spyware Scrapper (5-7-06)

At Security Cadets someone using the name ‘VirusRescue’ posted refuting the information AndyAtHull had posted.

VirusRescue is not a Trojan and is not a rogue software. VirusRescue really removes all the infections from your PC and has one of the best scanning & detection engines in industry and is supported by daily database updates. It removes everything including mentioned SpywareQuake. VirusRescue has nothing to do with Spyheal and SpywareQuake.

suzi responded:

    To VirusRescue: VirusRescue qualifies as rogue software based on its distribution methods regardless of its ability to clean spyware/viruses. Your program is being *PROMOTED* by malware — the fake codecs that are Zlob variants.

If you have this pest on your computer, you can go to one of the Security Forums listed here in the right side panel for advice on its removal and to see if any other undesirables are lurking.

Nick at Security Ticker did a writeup with screenshots on Thursday, August 10, 2006

VirusRescue Appears to be New Trojan
